Tag Archives: electronic health records

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

Here’s a scary reminder: There are people attempting to hack into electronic health systems every second of every day. Thankfully, most of these attempts are unsuccessful due to the preventive technologies in place to safeguard such information. However, electronic data will never be 100 percent secure.

Electronic health records promised was intended to be a tool for doctors to share patient data, reduce prescription drug errors, and allow patients convenient access to their records. However, since the transition to digital medical records, there have been concerns from patients about privacy, security and identity theft.

Recently, the Office for Civil Rights (OCR) announced that the agency will ramp up its Health Insurance Portability and Accountability Act (HIPAA) privacy and security audit program in 2015 for covered entities and business associates. These audits will focus on device encryptions, media controls, data transmission security protocols, and staff training on HIPAA policies and procedures.

Now is the time to ensure compliance.

Real World Privacy Breaches Happen All the Time.

On December 2, 2014, OCR and Anchorage Community Mental Health Services, Inc. (ACMHS), settled alleged violations of the HIPAA Security Rule. OCR started an investigation into ACMHS’s compliance with HIPAA after receiving a notification about a breach of unsecured electronic patient information affecting 2,743 individuals. The breach resulted from malware that compromised ACMHS’s information technology resources. According to the settlement, ACMHS must pay a $150,000 fine and enter into a resolution agreement and corrective action plan (CAP).

In November 2014, Beth Israel Deaconess Medical Center in Massachusetts agreed to a $100,000 settlement after a physician’s laptop was stolen from the hospital. The computer was not issued by the hospital and had not been encrypted in accordance with the hospital’s policies. However, the hospital was aware that the physician used the device. The laptop contained the health information and personal information, including Social Security numbers, of nearly 4,000 individuals. It’s alleged the hospital took three months to notify affected patients about the breach, which is a violation of HIPAA. (HIPAA requires such notifications to take place within 60 days.)

Tips to Protect Yourself and Your Business.

Again, the HIPAA audit program will be resuming after the first of the year. Accordingly, hundreds of covered entities and business associates will be receiving inquiries that could lead to an onsite audit. The audit requirements will be very difficult for organizations that have not planned in advance. Here are three easy-to-implement steps to prepare your practice.

1. Review the latest HIPAA policies and procedures. Make sure your office is meeting the latest privacy and security criteria. Identify gaps, update documents, and retrain staff on HIPAA policies and procedures. Don’t forget to document your educational efforts. Click here for a link to the latest policies and procedures.

2. Contact your business associates. Ask each of them to provide your practice with an updated Business Associate Agreement and list of all subcontractors they use. For business associates, the 2015 HIPAA audits will focus on risk analysis, risk management and updated policies and procedures for breach notification.

Also, a violation of the HIPAA privacy and security provisions does carry civil and criminal penalties. Anyone who is a health care professional or facility, should be aware of these legal provisions. Click here to read my previous blog.

HIPAA is Not One Size Fits All.

Protecting patient data is not a one-size-fits-all method, meaning that security measures and access to electronic records should not necessarily be uniform. There needs to be processes and check points in place at practices to ensure that the electronic health record system and its many users consistently meet HIPAA policies and procedures. Health care practices must be vigilant that when they integrate other medical practices and facilities into their organization that they extend these measures to incorporate new employees, new sites and locations, and various technologies.

As demonstrated throughout this blog, the risks of non-compliance simply outweigh the costs of sound preparation. If you’d like more information, contact a health law attorney experienced in these matters.

Comments?

Are you worried about the next round of HIPAA audits? Are you concerned about HIPAA violations? How are you ensuring compliance within your practice? Please leave any thoughtful comments below.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other health care providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. http://www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

In November 2013, a physician satisfaction study, sponsored by the American Medical Society (AMA), was published. In the study, physicians stated one of the most hated items in the medical industry is the electronic health record (EHR). According to physicians, EHRs are time-consuming, they hinder the physician-patient relationship by dividing the physician’s attention, they require health care professionals to perform tasks below their level of training, and EHRs can decrease efficiency in the practice.

Now there is a trend in the medical industry that allows physicians and health care practitioners to complete all their EHR documentation without ever having to touch a computer. According to an article in The New York Times, many medical practices and emergency rooms are hiring medical scribes to ease physicians’ note-taking responsibilities.

What is a Scribe?

A medical scribe is an unlicensed, trained medical information manager specializing in charting physician-patient encounters during the medical exams. A scribe enters information into the EHR at the direction of the physician or health care practitioner. Scribes can also support workflow and documentation for medical record coding.

Duties of a scribe vary by the practice. Some common duties include:

– Documenting procedures performed by the physician;
– Reviewing patient evaluation data for comparison and transcribing the results;
– Recording physician-dictated diagnoses, prescriptions and instructions for discharge; and
– Recording a provider’s consultations with other health care professionals.

Benefits of a Scribe.

According to an article in The New York Times, there are an estimated 10,000 scribes currently working in hospitals and medical practices around the country. In the same article physicians using scribes stated that they are more satisfied with their choice of career because the scribe allows the physician to concentrate on treating patients. Physicians also stated that by using scribes they can see up to four extra patients a day. Other benefits include, a reduced amount of clerical work for doctors, and better record keeping.

The growing medical scribe industry has yet to come together on a unified training and certification process. While the practitioner is ultimately responsible for the record, scribes should be trained to have a basic understanding of the EHR documentation guidelines, according to a Medical Economics article. Furthermore, there are specific signature requirements to be used when scribes are utilized, according to Medical Economics.

Some signature requirements for scribes include:

– Signing and dating all entries into the medical record. The role and signature of the scribe must be clearly distinguishable from that of the physician or licensed practitioner.
– The physician or licensed practitioner must authenticate the entry by signing, dating, and recording the time. A physician signature stamp is not permitted for use in the authentication of scribed entries.
– The authentication must take place before the physician and scribe leave the patient care area.
– If the organization determines that the scribe will be allowed to enter orders into the medical record, those orders entered into the medical record cannot be acted on until authenticated by the physician.
– The medical practice should implement a performance improvement process to ensure that the scribe is not acting outside of his or her job description, authentication is occurring as required, and that no orders are being acted on before they are authenticated.

When adding scribes to your practice, it is important to consult the guidelines laid out by state boards and other regulatory authorities in order to develop compliant scribe policies. Knowing your state’s requirements is key to reducing legal dangers and defending potential claims.

In most states, medical assistants are allowed to perform more patient care activities than a scribe is. For example, see the list contained in Florida Law, Section 458.3485, Florida Statutes. On the other hand scribes are, in effect, merely medical transcriptionists. However, each job may prove to be a gateway to the other job. A well-trained medical assistant may make an excellent scribe and be of great assistance to the physician. An experienced medical scribe may make an excellent medical assistant, being familiar with medical terminology and patient care.

Contact Experienced Health Law Attorneys.

The Health Law Firm routinely represents physicians and medical groups on EHR issues. It also represents pharmacists, pharmacies, physicians, nurses and other health providers in investigations, regulatory matters, licensing issues, litigation, inspections and audits involving the DEA, Department of Health (DOH) and other law enforcement agencies. Its attorneys include those who are board certified by The Florida Bar in Health Law as well as licensed health professionals who are also attorneys.

To contact The Health Law Firm, please call (407) 331-6620 or (850) 439-1001 and visit our website at www.TheHealthLawFirm.com.

Comments?

What do you think about the use of scribes in the medical practice? Do you or have you ever used a scribe? What are the benefits or pitfalls of using a scribe? Please leave any thoughtful comments below.

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

By Michael L. Smith, R.R.T., J.D., Board Certified by The Florida Bar in Health Law, and George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

On December 6, 2013, the Centers for Medicare and Medicaid Services (CMS) announced a revised timeline for the implementation of Stage 3 meaningful use measures for the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs.

According to CMS, Stage 2 will be extended through 2016, and Stage 3 will begin in 2017 for those hospitals, physicians and other eligible providers that have completed at least two years of Stage 2 meaningful use. These changes affect two groups of eligible providers: providers who started Stage 1 in 2011, and who are currently scheduled to start Stage 3 in 2016, and those providers who started Stage 1 in 2012, and who are scheduled to start Stage 3 in 2016.

This announcement does not change when providers must start Stage 2, nor does it affect the requirement for hospitals and critical access hospitals to upgrade to EHR technology to receive incentive payments. The Medicare and Medicaid EHR incentive programs are staged in three steps with increasing requirements for participation. Eligible providers who do not meet meaningful use requirements will still be penalized with reduced Medicare reimbursement starting January 1, 2015.

According to Modern Healthcare, CMS stated that the goal of the timeline change is two-fold. First, to allow CMS and the Office of National Coordinator (ONC) to focus on assisting providers to meet Stage 2 demands for patient engagement, interoperability and information exchange, as well as use data collected during the phase to inform policy decisions for Stage 3.

CMS expects that it will release a notice of proposed rulemaking for Stage 3 in the fall of 2014, and the corresponding ONC notice for proposed rulemaking for the 2017 Edition of the ONC Standards and Certification Criteria will also be released at that time. Click here to read the entire article from Modern Healthcare.

What this Means for You.

If you begin participation with your first year of Stage 1 for the Medicare EHR Incentive Program in 2014:

– You must begin your 90 days of Stage 1 of meaningful use no later than July 1, 2014 and submit attestation by October 1, 2014 in order to avoid the 2015 payment adjustment.

If you have completed one year of Stage 1 of meaningful use:

– You will demonstrate a second year of Stage 1 of meaningful use in 2014 for a three-month reporting period fixed to the quarter for Medicare or any 90 days for Medicaid.
– You will demonstrate Stage 2 of meaningful use for two years (2015 and 2016).
– You will begin Stage 3 of meaningful use in 2017.

If you have completed two or more years of Stage 1 of meaningful use:

– You will still demonstrate Stage 2 of meaningful use in 2014 for a three-month reporting period fixed to the quarter for Medicare or any 90 days for Medicaid.
– You will demonstrate Stage 2 of meaningful use for three years (2014, 2015 and 2016).
– You will begin Stage 3 of meaningful use in 2017.

Contact Experienced Health Law Attorneys.

The Health Law Firm routinely represents physicians and medical groups on EHR issues. It also represents pharmacists, pharmacies, physicians, nurses and other health providers in investigations, regulatory matters, licensing issues, litigation, inspections and audits involving the DEA, Department of Health (DOH) and other law enforcement agencies. Its attorneys include those who are board certified by The Florida Bar in Health Law as well as licensed health professionals who are also attorneys.

To contact The Health Law Firm, please call (407) 331-6620 or (850) 439-1001 and visit our website at www.TheHealthLawFirm.com.

Comments?

What do you think of the revised timeline for the implementation of Stage 3 meaningful use? Will this affect you? If so, how? Please leave any thoughtful comments below.

About the Authors: Michael L. Smith, R.R.T., J.D., is Board Certified by The Florida Bar in Health Law. He is an attorney with The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. http://www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. http://www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

The Department of Health and Human Services (HHS) Office of Inspector General (OIG) is concerned about healthcare providers carelessly copying and pasting clinical notes in electronic health records (EHRs). According to an audit report released on December 10, 2013, copying and pasting in EHRs can lead to fraudulently duplicated clinical notes, which can be considered healthcare fraud. This practice is allegedly widespread across medicine, according to a Modern Healthcare article. Federal officials say there is a need to crackdown on this behavior.

This is the first of two reports on fraud and vulnerabilities in EHR systems. The second report from the OIG will be on weaknesses in how the Centers for Medicare and Medicaid Services’ (CMS) payment contractors monitor for fraud in EHRs. This report is scheduled to be published soon.

Report Looks at Hospital Policies Regarding Copy-and-Paste Features.

The audit report studied 864 hospitals that had received subsidies for EHR systems as of March 2012. Out of those hospitals, only twenty-four percent (24%) had any policy regarding the improper use of copying-and-pasting in EHRs. The report concluded that too few hospitals actually have policies defining the proper use of copy and paste in EHRs.

According to Modern Healthcare, adoption of EHR systems has coincided with a rapid rise in higher-cost Medicare claims. This has led to officials looking into whether EHRs are enabling illegal upcoding. Officials say that EHR features such as copy and paste make it too easy to bill for work that wasn’t actually performed and help increase reimbursements, according to Modern Healthcare. Click here to read the entire article from Modern Healthcare.

In the report the HHS OIG recommends that the CMS strengthen its efforts to develop a comprehensive plan to address fraud vulnerabilities in EHRs. It was also suggested that CMS develop guidance on the use of the copy-paste feature in EHR technology.

Tips to Help Avoid Copy-and-Paste Errors.

Tools commonly available in EHRs that allow physicians to copy and paste patient information should be used with extreme care, according to an article on American Medical News. The article offers health care providers some guidelines to help avoid errors related to copying and pasting.

– Note important results with proper context, and document any resulting actions. Avoid wholesale inclusion of information readily available elsewhere in the EHR because that creates clutter and may adversely affect note readability.

– Review and update as appropriate any shared information found elsewhere in the electronic record (e.g., problems, allergies, medications) that is included in a note.

– Include previous history critical to longitudinal care in the outpatient setting, as long as it is always reviewed and updated. Copying and pasting other elements of the history, physical examination or formulations is risky, as errors in editing may jeopardize the credibility of the entire note.

The practice of copying and pasting previous information without checking can be considered careless and potentially dangerous to patients. It can be problematic when there are multiple teams taking care of one patient and using the chart to communicate. The right way is to make sure everything in the note you sign accurately reflects what happened on your shift.

In the report the HHS OIG stated that copy-and-paste features in EHRs will be under additional scrutiny. By knowing where the enforcement focus will be, providers can attempt to avoid copy-and-paste practices that are likely to lead to audits. Additionally, providers can beef up compliance efforts and policies.

Contact Health Law Attorneys Experienced in Handling Medicare and Medicaid Audits, Investigations and other Legal Proceedings.

The attorneys of The Health Law Firm represent healthcare providers in Medicare audits, ZPIC audits and RAC audits throughout Florida and across the U.S. They also represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in Medicare and Medicaid investigations, audits, recovery actions and termination from the Medicare or Medicaid Program.

Don’t wait until it’s too late. If you are concerned of any possible violations and would like a consultation, contact a qualified health attorney familiar with medical billing and audits today. To contact The Health Law Firm please call (407) 331-6620 or (850) 439-1001 and visit our website at http://www.TheHealthLawFirm.com.

Comments?

In your practice do you use an EHR system? Have you had any issues with copying and pasting clinical notes? Does your practice have a copy-and-paste policy? Please leave any thoughtful comments below.|

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. http://www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

A small physician group has reached a settlement with the United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR) over alleged Health Insurance Portability and Accountability Act of 1996 (HIPAA) violations. The settlement was reached on April 17, 2012 and requires Phoenix Cardiac Surgery (PCS) to pay OCR $100,000 and enter into a one-year corrective action plan (CAP).

OCR’s investigation of PCS was launched in 2009 after a complaint was received. Click here to view a HIPAA complaint that you can file online. The complaint alleged that PSC had disclosed protected health information (PHI) on patients on the Internet. After investigating the complaint, the OCR alleged that PCS violated the HIPAA privacy and security rules. According to the OCR, PCS posted clinical and surgical appointments on a publicly accessible, Internet calendar. The OCR also alleged that PCS employees e-mailed protected health information to their personal e-mail accounts.

Furthermore, PCS allegedly did not have adequate administrative, physical and technical safeguards in place to protect patient data. The OCR alleged that PCS did not appoint a security officer as required by HIPAA or perform an accurate and thorough risk assessment, also required by HIPAA. The CAP required by the settlement will require PCS to implement policies to ensure full compliance with HIPAA’s privacy and security rules.

Are You In Compliance with HIPAA?

The Health Insurance Portability and Accountability Act of 1996, sometimes referred to as the Kennedy-Kassenbaum Act, was enacted into law as Public Law (P.L.) 104-191, 110 Stat. 1936. Among its many different provisions, it included basic minimums to ensure the privacy of personal medical information. Its main privacy provisions are codified in federal law in different sections of the U.S. Code.

Medical Practices Should Use Caution When Working With Electronic Health Information

This case provides a good example of the downside of information technology (IT). While electronic health information assists in increasing accessibility and efficiency, it can also increase a practice’s risk of violating HIPAA’s Privacy Rule and Security Rule.

All medical practices that utilize electronic health information need to ensure that they have effective IT security, education, policies and procedures in place to protect themselves from HIPAA’s violations.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.